U.S. Cybersecurity Strategy

This past Monday, I read a blog post by Bruce Schneier about how the United States needs to drastically rethink its cybersecurity strategy. In short, Schneier makes the case that the U.S. needs to sacrifice offensive intelligence, espionage, and cyber capabilities in order to reduce the attack surface for adversaries to exploit vulnerabilities. Instead, the U.S. needs to focus its efforts on defense and on aspects such as supply chain audits and vulnerability management. For example, creating a list of vendors audited by the government that are safe to use is something he recommends, and it would not only help the U.S. government and private industries but is also necessary. While this may sound near impossible, it needs to be done.

In the wake of the SolarWinds hack, dubbed Solorigate because it is so much more than just one company, there is an absolute need to urgently reform the informational infrastructure that the U.S. private and public industry relies upon. The hack saw the Russian SVR have unidentified access to virtually every branch of the U.S. government, departments of the executive branch, as well as thousands of private companies for well over 9 months before being discovered in December 2020. Reform does not just mean physical changes with initiatives like “rip-and-replace” but also changes in terms of policies.

The recent espionage event carried out by Russia represents only the tip of the iceberg, and the level to which the U.S. has experienced an irreversible incident is clear. Right now, the government is treating this incident with the understanding that we are fundamentally compromised, as they should. It is bad, it will get worse, and our response relies upon an underdeveloped workforce and cybersecurity-focused nation.

On Tuesday, January 19, 2021, a commission on cybersecurity released a whitepaper detailing a roadmap for what the Biden/Harris administration needs to do in order to work towards, quite honestly, maintaining democracy and a world we want to live in. This came out a few days ago but is extremely informative and is exactly what the new president will be basing policies on and using to make important decisions related to cybersecurity. At least that’s the hope.

Out of 56,000 cyber-based jobs, the public sector currently only has 37,000 filled. This means that 1-in-3 positions that the government has set up to help with cybersecurity are vacant. For the private market, the number of vacant positions sits at around 500,000 and counting. The gravity of these numbers is not just that “you might make a lot of money if you go into cybersecurity” because you will probably get a job… It also means that you can be damn sure that the money you will make isn’t actually all that secure, even if it might be at this very moment.

The whitepaper states:

“To address unfilled federal cyber jobs in 2009, experts called for the White House cybersecurity coordinator to develop a federal cyber workforce strategy. Twelve years later, the U.S. federal government still does not have an effective cyber workforce strategy or any clear leader responsible for developing and implementing such a strategy.”

That last sentence is shocking and utterly gut-wrenching. You want to employ people, get money in pockets, and put the positive New Deal employment programs to shame? Make a federal cyber workforce program.

But of course, that’s hard to do when there is nobody to create one.

If there is one thing you read in this post, read the following paragraph on why digital literacy, civics education, and public awareness need to be promoted:

“Democracy is also threatened by adversary information operations, often cyber-enabled, that are designed to undermine public trust in democratic institutions. The pernicious narratives spread by these operations target the very notion of truth, convey an image of a system that is irrevocably broken, and exacerbate deep divisions. The process of building public resilience against this messaging starts with a renewed focus on civic education to remind Americans what democracy is about—that it is not inevitable but must be fought for, that it is worth fighting for not because it is perfect but because it is capable of positive change, and that each of us must be effective agents of that change through lawful means.”

One only has to look to the Capitol on January 6 or the past four years in the U.S. to understand what this paragraph is getting at.

It underscores the importance of understanding history, both our own and the sociopolitical climates of the past, to understand how information is used as a driving force for enacting change. Denying this force the ability to negatively impact democratic freedom and a functioning society requires individuals in high-ranking positions in our government with a deeply rooted passion for topics ranging from the history of adversarial warfare to game theory and informational campaigns like those pursued by the USSR in the past and those that the current Russian state routinely undertakes.

It also makes me wonder why kids aren’t being taught in school to use password managers, learn about email phishing, the dangers of social media in relation to privacy and social engineering, and that they themselves represent the biggest vulnerability that can result in compromised systems or malicious attacks. The answer, I believe, has something to do with the fact that even adults don’t understand this stuff yet, never mind have the ability to teach it.

I would end by saying that cybersecurity at large is vague. The term carries with it a mystical connotation and most people don’t understand it. Even undergraduate cybersecurity curriculum is spent studying age-old concepts such as defense-in-depth, and when policies are observed, such as those from NIST or SANS, the goal is generally to familiarize students, not teach them how to think in terms of exploits and outside the box.

College students cannot approach cybersecurity material similarly to how it is done in many other disciplines. Doing so will not enable them to understand and be able to think deeply about the potential solutions to new and emerging threats. They should also not think of cybersecurity like other majors because it requires the intersection of, as mentioned before, history, how humans are motivated and interact with each other, and more concepts that cannot be easily taught or acquired.

Just the fact that this whitepaper that came out recently will not be analyzed, even lightly, and discussed in many programs and in academia this semester points to a problem when it comes to creating any technology curriculum: it’s usually too old by the time it’s used.

The most I have ever learned about a topic like cybersecurity was when I was in a course where we spent the entire year writing research papers and presentations focused on distinct, current technology topics; I chose semiconductor technology, autonomous vehicles, artificial intelligence, and organic light-emitting diodes.

These topics aren’t related to cybersecurity, but the way I learned about them should be the approach taken in the world of cybersecurity.

Everyone, whether cybersecurity professionals, aspiring students in the discipline, or someone who knows nothing about the field, would be wise to understand two concepts: (1) doing nothing is the safest, most secure thing you can do, because the more you move and are involved digitally, the more vulnerable you become, and (2) there is no solution to achieve absolute security, because the infrastructure and systems that cybersecurity strategies attempt to protect are not built on the foundation of security but usually revolve around convenience and cost.

The fact that the backbone of what we are trying to secure is imperfect and flawed is exactly why the imperfect strategies and practices that you, I, and the U.S. government utilize in handling information systems need to change. In the end, cybersecurity is like a Band-Aid that is too small for a very large cut, and the blood is not going to stop anytime soon.

I am glad this whitepaper helped me realize this tonight. This was the first whitepaper I have ever read, and it will not be the last. And from now on, I am going to pay more attention to Bruce Schneier and some other related researchers I follow. We are what we read, and right now we need more minds focusing on “why” we need changes in cybersecurity so we can better address the “how.”






