The Need for Technical Cyber Defenders

In November of 2010 the Center for Strategic and International Studies (CSIS) released a white paper titled “A Human Capital Crisis in Cyber Security.” While some of the recommendations in the paper were controversial and were received with mixed reaction in the cyber security market, the basic argument of the paper was correct: Technical Proficiency Matters when it comes to Cyber Security Professionals.

Current events continue to validate this argument. Today’s cyber attacks are continuing to become more technically astute and effective. Gone are the days of simple denial of service attacks targeting websites and other internet facing IT systems. Today’s attacks target the intellectual property and secrets of organizations in every industry, profession and sector of the country. The stealing of information is a common occurrence where an organization may be infiltrated from across the Internet and lose its critical secret in a very short period of time.

These insidious attacks, sometimes known as the Advanced Persistent Threat (APT), often go undetected because the organization has no capability to identify these advanced attack methods.

Real life situations have shown that organizations that employ highly technical cyber security professionals in areas such as incident response, network defense, penetration testing or forensics analysis are in the best position to identify, quarantine and remediate these advanced types of cyber threats. The differentiator isn’t a device or an appliance. It’s the people who are able to use judgment and analysis at a deep technical level that make the difference.

The problem for our nation is this: we don’t have enough people with the right mix of technical cyber security skills to adequately protect and defend all our information systems. With each year that more systems are added to the Internet, the skills gap between the number of technically savvy cyber defenders and number of information systems continues to widen.

To echo the previous argument, in 2010, James Gosler, a veteran cyber security specialist who has worked at the CIA, the National Security Agency and the Energy Department made the following comment, “"We don't have sufficiently bright people moving into this field to support those national security objectives as we move forward in time.” Gosler estimated in 2010 that there were only 1,000 people in the entire United States with the sophisticated skills needed for the most demanding cyber defense tasks. To meet the computer security needs of U.S. government agencies and large corporations, he says, a force of 20,000 to 30,000 similarly skilled specialists is needed.1