I recently read this article, “Will the U.S. government draft cybersecurity professionals?” Whoa. Full stop.
My initial knee-jerk read: every nation that has attempted to strong-arm certain professions into serving the national interest has usually found itself in a brain-drain situation. Once the brain drain begins, such nations have usually responded by further restricting the ability of citizens, and particularly those with specialized training, to leave the country. Strange as it may sound, people caught in this predicament tend to harbor some resentment toward their home country. Skill development also tends to lag behind that of “freer” societies, where professionals of differing nationalities are able to interact with each other without a government’s long shadow over the exchange.
As a former military professional and contributor to the national defense, I would offer the following suggestions and observations to those nations considering how to bolster their talent pool:
- Carrots, not sticks. Whether you fund the development of a cyber cadre or seek to recruit one, remember that at the end of the day these are people with their own goals and needs. Many look to the private sector for some combination of compensation, work-life balance, culture, the ability to innovate, and the ability to receive public recognition for their work.
- Sticks inherent to the position. Will USG cybersecurity employees be able to travel abroad and work with international counterparts without the shadow of the US following them? This is a real concern, not only for the traveler but for how those persons are perceived by their peers abroad. How can the USG ensure its cybersecurity professionals don’t become a proxy – real or perceived – of the USG?
- The recurrence of government shutdowns is doing the USG no favors in recruiting or retaining anyone, let alone cybersecurity professionals. I went through several as a defense contractor and basically got lucky, but I really don’t like counting on luck to bring home a paycheck. How can the USG assure employees that the work is stable?
- Human resources. I really can’t overstate this. Putting people, and their families, through the rungs of USG selection and onboarding bureaucracy (e.g. no relocation assistance) builds a wall in front of the individual who wants to support the mission despite the gaps in pay and culture. Make it easy, and support the whole person.
So that was my knee-jerk reaction. Having actually read the Executive Order, I have some more nuanced concerns.
The Executive Order appropriately identifies the lack of cybersecurity talent – it’s an issue everyone is facing.
Here are a few blurbs I found insightful:
(b) The United States Government must enhance the workforce mobility of America’s cybersecurity practitioners to improve America’s national cybersecurity. During their careers, America’s cybersecurity practitioners will serve in various roles for multiple and diverse entities. United States Government policy must facilitate the seamless movement of cybersecurity practitioners between the public and private sectors, maximizing the contributions made by their diverse skills, experiences, and talents to our Nation.
(c) The United States Government must support the development of cybersecurity skills and encourage ever-greater excellence so that America can maintain its competitive edge in cybersecurity. The United States Government must also recognize and reward the country’s highest-performing cybersecurity practitioners and teams.
(d) The United States Government must create the organizational and technological tools required to maximize the cybersecurity talents and capabilities of American workers – especially when those talents and capabilities can advance our national and economic security. The Nation is experiencing a shortage of cybersecurity talent and capability, and innovative approaches are required to improve access to training that maximizes individuals’ cybersecurity knowledge, skills, and abilities. Training opportunities, such as work-based learning, apprenticeships, and blended learning approaches, must be enhanced for both new workforce entrants and those who are advanced in their careers.
Sec. 3. Strengthening the Nation’s Cybersecurity Workforce. (a) The Secretary of Commerce and the Secretary of Homeland Security (Secretaries), in coordination with the Secretary of Education and the heads of other agencies as the Secretaries determine is appropriate, shall execute, consistent with applicable law and to the greatest extent practicable, the recommendations from the report to the President on Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce (Workforce Report) developed pursuant to Executive Order 13800. The Secretaries shall develop a consultative process that includes Federal, State, territorial, local, and tribal governments, academia, private-sector stakeholders, and other relevant partners to assess and make recommendations to address national cybersecurity workforce needs and to ensure greater mobility in the American cybersecurity workforce. To fulfill the Workforce Report’s vision of preparing, growing, and sustaining a national cybersecurity workforce that safeguards and promotes America’s national security and economic prosperity, priority consideration will be given to the following imperatives:
(i) To launch a national Call to Action to draw attention to and mobilize public- and private-sector resources to address cybersecurity workforce needs;
(ii) To transform, elevate, and sustain the cybersecurity learning environment to grow a dynamic and diverse cybersecurity workforce;
(iii) To align education and training with employers’ cybersecurity workforce needs, improve coordination, and prepare individuals for lifelong careers; and
(iv) To establish and use measures that demonstrate the effectiveness and impact of cybersecurity workforce investments.
(b) To strengthen the ability of the Nation to identify and mitigate cybersecurity vulnerabilities in critical infrastructure and defense systems, particularly cyber-physical systems for which safety and reliability depend on secure control systems, the Secretary of Defense, the Secretary of Transportation, the Secretary of Energy, and the Secretary of Homeland Security, in coordination with the Director of OPM and the Secretary of Labor, shall provide a report to the President, through the DAPHSCT, within 180 days of the date of this order that:
(i) Identifies and evaluates skills gaps in Federal and non-Federal cybersecurity personnel and training gaps for specific critical infrastructure sectors, defense critical infrastructure, and the Department of Defense’s platform information technologies; and
(ii) Recommends curricula for closing the identified skills gaps for Federal personnel and steps the United States Government can take to close such gaps for non-Federal personnel by, for example, supporting the development of similar curricula by education or training providers.
A separation between government and industry is good.
Blurring the lines between the two creates the perception – real or not – that there is a relationship in which one may use the arsenal of the other. While that may work in certain authoritarian regimes, it does not reflect the principles of an honest democracy. In security parlance: separation of duties.
Certain nations do blur the lines between the two, and it’s not clear how receptive industry is to that relationship in those places, since the government is generally able to place its own people inside those industries, whether by chance or otherwise. The US has itself pointed to exactly this kind of relationship in the past as evidence that a given entity is allied with, and acting as a proxy for, a foreign power.
Presidential Policy Directive 21 already places primary responsibility for protecting critical infrastructure on its owners and operators, which in the US overwhelmingly means the private sector. Since 1998, following Presidential Decision Directive 63, the Information Sharing and Analysis Centers (ISACs) have given the various industries a forum to discuss threat vectors and a pipeline to the USG, eventually via the Department of Homeland Security. One wonders what need this Executive Order is seeking to fill that PPD-21 does not already address, which brings me to my next point: when hunting monsters, be cautious lest we become monsters ourselves.
My primary concern is that this Executive Order seeks to create a mechanism to support an offensive cyber program. At first glance that might seem fine – industry applying its best practices to enable the nation to protect its interests – but who defines those interests today? Tomorrow? Some might say John and Jane Public, but I don’t ever recall seeing them in the room. Yes, the public votes for representatives, and to an extent votes for industry with its purchasing power, but that is hardly an equal or consistent say in the day-to-day activities of government. Which is all to say this: when the next advanced, potentially society-crippling set of cyber warfare tools gets lost or leaked, who is responsible for the collateral damage? When the power goes out or the sewage treatment facilities stop working, who remediates? Is it the government? Is it the industry that supported and developed said tools? Or is it just too bad for Mr. and Mrs. Public?
Imagine if the Manhattan Project happened today and one of the large corporations were identified as the primary source of talent. How would the public react before the bomb was dropped? After? This isn’t as far-fetched as it sounds; we’ve already seen Google employees and members of the public call on Google to drop its support for a Pentagon AI warfare program.
There is a certain hubris I’ve seen take hold when someone is handed a credential: suddenly they become the one who knows better. Whether that credential is a piece of paper, a badge or a gun, some (not all) people tend to treat it as a license rather than as a form of identification and authentication – it says who you are, not what you are permitted to do. When empowered with the resources, the mission and the authority, do we all make the best decisions? The best decisions for whom? That depends on who matters. Do the people of nation X matter today? Will they tomorrow?
Industry has enough potential ethical mires of its own without entering into the quasi-official relationships this EO seems to allude to. Government would be better served by building its own military than by encouraging the development of a private militia that might one day compete with it for power.