Date: 2023-08-01

The cyber workforce plan: A strategy, some commitments and a request for specifics

The Office of the National Cyber Director fleshed out how it wants to expand and improve the U.S. cybersecurity workforce — a personnel problem that’s long proven difficult to conquer — in the latest of a string of cyber strategy documents that it released Monday.

The National Cybersecurity and Education Workforce Strategy aims to tackle the issue across four “pillars”:

Giving all Americans cyber skills;

Transforming education;

Building the national workforce; and

Fortifying the federal workforce.

It paired the strategy with commitments from agencies, the private sector and nonprofits to devote funds or establish programs.

Pick a study over the past year and you’ll get a different estimate of the number of vacant U.S. cyber jobs, ranging from 400,000 to 660,000 to 750,000. But whatever year or study, the figure is reliably in the hundreds of thousands, making it an intractable issue.

And meeting the needs of the cybersecurity workforce doubles as a way to deliver other benefits, said Camille Stewart Gloster, the deputy national cyber director for technology and ecosystem security.

“We must support the development of a strong cyber workforce,” Gloster told reporters. “That cyber workforce has to meet the demand that we have all heard about in filling hundreds of thousands of cyber job vacancies. That’s a national security imperative, an economic imperative, a human security imperative. But it also is an opportunity for good-paying jobs, good-paying middle-class jobs.”

The strategy itself

The workforce strategy follows two other strategy documents this year, the national cybersecurity strategy and an accompanying implementation plan.

Besides the four workforce pillars, the strategy also includes three “guiding imperatives.”

Make improving the workforce a “whole-of-nation” approach that draws on everyone, from the government to academia to industry.

Make development of cyber skills a lifelong pursuit for Americans.

Make use of diversity and inclusion to expand the pool of eligible workers and draw on different perspectives to solve problems.

Each pillar then has several associated tasks. Expanding and enhancing the national workforce, for instance, calls for leaning more on community colleges as part of a way to focus hiring on skills “rather than merely credentials,” as the strategy states. To diversify the workforce, two tasks include recruiting veterans and changing immigration policies to bring in and retain foreign talent.

Acting national cyber director Kemba Walden said strengthening this workforce can draw on parallels from the Industrial Revolution.

“Today, the Biden-Harris administration seeks to strengthen the American middle class by bringing more of the workforce into this digital age, to keep the country secure, to increase economic prosperity and to ignite the next generation of American innovators,” she said at an event hosted by the Atlantic Council’s Cyber Statecraft Initiative, within the Digital Forensic Research Lab.

In related documents, the administration released guidance sheets for workers, employers, educators and governments. It also spelled out commitments from agencies, such as the Department of Veterans Affairs and National Science Foundation; nonprofits, such as Craig Newmark Philanthropies and Girl Security; businesses, such as CrowdStrike and Google; and schools, such as MassBay Community College and Dakota State University.

Some outside thoughts

Industry wants to lend a hand to expand the workforce, and the strategy appeals to that desire, said Rob Duhart, vice president and deputy chief information security officer at Walmart.

“Government can't do it by themselves,” Duhart said at the Atlantic Council event, acknowledging a motif of the strategy. “We as industry want to be leaders here. We need to be leaders here. Cyber is becoming a business imperative. … What used to be a technical discipline that a bunch of nerds in the basement — of which I was one — think about, it's no longer that. We're seeing that grow and transcend, and the strategy is really focused on bringing others into that transcendence.”

Brandon Pugh of the R Street Institute complimented numerous elements of the strategy in a blog post. “Supporting greater participation by veterans in the cyber workforce is a laudable aspect of the strategy, as many veterans not only have valuable cyber training and experience already, but it also helps address veteran hiring challenges overall,” wrote Pugh, policy director and resident senior fellow for cybersecurity and emerging threats at the think tank.

The existence of the strategy, as well as the focus on diversification and other approaches, were all good developments, Clar Rosso, CEO of ISC2, a nonprofit that provides cybersecurity certifications, told me. But she’d also like to see some more specifics:

“The strategy mentions shifting burden away from individuals and small businesses, however it is not clear how that is actually being addressed,” she said in an email. “For example, a critical question I have is how are we specifically elevating the security posture of the 95% of small businesses with 100 or fewer employees who have no cyber professionals at all.”

“Would like to see more dialogue about hiring practices,” she said. “What are the innovative ways we are going to move people into jobs? How will we remove the significant barriers that prevent qualified individuals from entering — or staying — in the cybersecurity workforce.”

Mark Montgomery, senior director for the Center for Cyber and Technology Innovation at the Foundation for Defense of Democracies, also said that follow-through would be key. “The new National Cyber Workforce and Education Strategy is much needed,” Montgomery, also director of CSC 2.0, the successor to the Cyberspace Solarium Commission, said via email. “It tackles the federal workforce issues with a level of specificity that could lead to significant improvements. But it must be implemented properly by the Administration and Congress.”

Gloster told reporters that the Office of the National Cyber Director would release more information on implementation, timelines and related matters in the future.

The keys

White House panel recommends limiting FBI access to powerful surveillance tool

A White House advisory board has recommended new restrictions be placed on a key FBI intelligence-gathering tool, but the board argued against a long-demanded critique that authorities must seek a warrant before probing certain electronic communications, our colleague Ellen Nakashima and your newsletter host report.

“The recommendations released Monday by the President’s Intelligence Advisory Board come as the Biden administration is increasingly concerned about the prospects in Congress for renewing what it deems a crucial tool used to gather intelligence about foreign adversaries such as China, Russia, Iran and North Korea,” Ellen and Tim write.

“Officials have warned that a failure to re-up the program, known as Section 702 of the Foreign Intelligence Surveillance Act, could become ‘one of the worst intelligence failures of our time,’” their report adds. Section 702 expires Dec. 31 unless Congress reauthorizes it.

The surveillance authority allows the FBI and National Security Agency to gather electronic data without a traditional warrant based on probable cause when the target is a foreigner overseas and it’s for foreign intelligence purposes. “But because such conversations sometimes include Americans, there is a concern that Americans’ communications are being swept up without a warrant,” the report notes.

Among the recommendations, the board suggested the removal of the FBI’s authority “to query the database for evidence of crimes unrelated to national security,” they write. There are fewer than two dozen such queries per year, according to a senior administration official on a briefing call with reporters who spoke on the condition of anonymity under ground rules set by the White House.

The sweeping program has broadened over the years as intelligence officials argue the program is essential for national security purposes. It “now accounts for nearly 60 percent of the items in the president’s daily intelligence briefing,” according to the report.

California privacy regulator probes data practices of connected cars

The California Privacy Protection Agency will use its newly empowered authority to probe the data collection practices of new generation cars that are often or always connected to the internet, our colleague Joseph Menn reports.

Joseph writes: “The agency was established by a 2020 ballot initiative that toughened the California Consumer Privacy Act of 2018. As of July 1, it can conduct operations to enforce Californians’ right to learn what is being collected about them, the right to stop that information from being spread and the right to have it deleted.”

Car-based data collection has increased steadily in recent years as users leverage modern vehicle features that allow them to connect their phones for calling, music or navigation instructions.

Such information is oftentimes sought by businesses aiming to advertise their products to drivers, the report notes.

“Though phone connections beam detailed call logs and contacts lists to the automakers and their business partners, those companies have vague privacy policies, The Washington Post has reported. While California law requires visibility for consumers, that is often hard to come by,” Joseph adds.

FBI finds that contractor purchased NSO tool

Days after the Biden administration blacklisted the contentious Israel-based spyware maker NSO Group, an FBI contractor closed a deal for an NSO surveillance tool, and the transaction has been discovered by none other than the FBI, Mark Mazzetti, Ronen Bergman and Adam Goldman report for the New York Times.

“When The New York Times reported in April that a contractor had purchased and deployed a spying tool made by NSO … for use by the U.S. government, White House officials said they were unaware of the contract and put the F.B.I. in charge of figuring out who might have been using the technology,” they write.

The deal was made with Riva Networks, a bureau contractor. “This particular tool, known as Landmark, allowed government officials to track people in Mexico without their knowledge or consent,” according to the report.

They write: “The F.B.I. now says that it used the tool unwittingly and that Riva Networks misled the bureau. Once the agency discovered in late April that Riva had used the spying tool on its behalf, Christopher A. Wray, the F.B.I. director, terminated the contract, according to U.S. officials.”

“But many questions remain,” they write. "Why did the F.B.I. hire this contractor — which the bureau had previously authorized to purchase a different NSO tool under a cover name — for sensitive information-gathering operations outside the United States? And why was there apparently so little oversight? It is also unclear which, if any, government agencies besides the F.B.I. might have worked with Riva Networks to deploy the spying tool in Mexico."

Riva Networks and chief executive Robin Gamble did not respond to the New York Times’s requests for comment.

Aeva Black joined CISA as the agency’s Open Source Security Lead, according to a Monday announcement.

