May 14, 2021 | 8 minute read
As we transition into a post-pandemic world, it becomes more pertinent than pessimistic to question, what life-altering circumstances must Americans prepare to withstand next? After all, there is still a lot to be concerned about, regarding the current state of the nation. As our economy recovers, we continue to grapple with serious concerns. Among the greatest potential threats to American citizens, and proliferating at a speed we have yet to outpace, are the borderless cyber threats to our national security, critical infrastructure, and economy. There are resounding, devastating consequences when these foundations are destabilized by a cyberattack.
Cyberspace is a vast wild west, meaning that there is no centralized, international policy and regulatory structure in place, to govern and manage damaging, disruptive, and deceitful acts being conducted by malicious actors. The SolarWinds attack is a harbinger (not the first) of what the US government can expect to see from the booming industry of global cybercriminal enterprises, and yes, cybercrime is a business model. Cybersecurity ventures predicts global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025. Global costs in damages are expected to reach $6 trillion USD in 2021.
In March, President Biden released his Interim National Security Strategic Guidance, a document echoing valiant urgencies of previous plans, initiatives, and legislation from both the Trump and Obama administrations. Where discrepancies lie between past strategies, is where we can now confidently determine what policies and postures will actively drive our nation towards becoming a force to be reckoned with, in cyberspace. The skills shortage has delayed the development of defensive and offensive cybersecurity, across public and private sectors. Workforce development, and initiatives derived, are moving at a snail’s pace, and the idiom “slow and steady wins the race” does not apply within this industry.
Echoes of strategies, from the not-so-distant past.
In 2003, the very first National Strategy to Secure Cyberspace was published by the George W. Bush administration. It delivered a concise message about society’s transition to a civilization dependent upon cyberspace, and also served as a response to the 2001, September 11th terrorist attacks. The document begins with, “Our Nation’s critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping. Cyberspace is their nervous system—the control system of our country.” It goes on to describe a list of what we hear parroted from our current government, nearly 20 years later, because back in 2003, threats and vulnerabilities, mitigating risk, cyber agility, cybersecurity awareness and training, and cyberwarfare were all familiarized concepts when speaking to our national security. In fact, it was in 2002, that the former president signed into legislation, the Department of Homeland Security (DHS), uniting 22 federal entities for the common purpose of improving our homeland security. It wouldn’t be for another 15 years, however, following Bush’s strategy, that a new National Cyber Strategy would be published by the Trump administration, in 2018.
Prior to 2018, the Obama administration made concerted efforts to align the country to cybersecurity initiatives that would have long-term, foundational impact. These included eighteen executive orders, such as the Cyberspace Policy Review of 2009, the creation and implementation of a Cybersecurity Framework by the National Institute of Standards and Technology (NIST) from 2013 to 2014, and the Cybersecurity Act of 2015. Obama emphasized the importance of the sharing of cyber threat information between private companies and the government, as well as empowering American citizens to take better control of their digital security. The summation of this administration’s efforts, over the course of 7 years, compiled into what is known as the Cybersecurity National Action Plan (CNAP), announced by the Press Secretary in February of 2016. CNAP was built upon lessons learned from cybersecurity trends, threats, and intrusions, of which three major attacks took place during Obama’s presidency. The first was the North Korean Sony Pictures Entertainment hack of 2014, which compromised sensitive, personal data of employees and executives. The second, the US Office of Personnel Management (OPM) data breach of 2015, by China, leading to the theft of millions of current, former, and prospective government personnel sensitive data. Lastly, the data breach and theft of voters’ personal information, social engineering, and hack of the Hillary Clinton campaign and government affiliates, conducted by Russia during the 2016 US presidential elections, that threatened the core of American democracy.
The National Cyber Strategy of 2018 imparted many of the same initiatives as its predecessors. However, the Trump administration included the first marker of a key distinction in strategic planning and offensive cybersecurity, or ‘Persistent Engagement’, which is skilled people. Developing a superior cybersecurity workforce was a major highlight of this plan, and it touched on creating a sustainable talent pipeline, implementing the NICE Framework as a standard approach for identifying, hiring, developing, and retaining a talented cybersecurity workforce, and awarding talent by highlighting cybersecurity educators and professionals. Executive orders directed workforce policy agendas, such as the expansion of US apprenticeships to 5 million, over 5 years, leading to developments like the Purdue Cyber Apprenticeship Program, and pivoting the role of the federal government as creator and monitor of these programs, to third party entities. Despite these past initiatives, and the Department of Homeland Security’s and their advisors at the Cybersecurity and Infrastructure Security Agency (CISA) collaborating with academic institutions, educators, and students, the workforce problem still remains. Last year, the problem was held under a magnifying glass when the infamous SolarWinds software supply chain attack took place over the course of many months in 2020, conducted by Russian hacking group Cozy Bear. Nine federal agencies, including DHS, and what is believed to be over 100 private sector companies were breached and infected. This gargantuan attack garnered international, and US bipartisan criticism and concern, for the immense lack of oversight and governance involved at the federal level.
The Current Outlook
The skills shortage is the single, greatest deterrent to a formidable presence in cyberspace, which is why an administration willing and ready to overhaul, and fully fund every initiative and policy in the queue is warranted. Since President Biden took office, several historically damaging cyberattacks have already occurred, including the Florida Water Systems hack, the Microsoft Exchange Server exploitation, the Washington State Auditor breach, and the most recent, Colonial Pipeline ransomware attack. Earlier this week, CyberScoop reported “Colonial Pipeline didn’t notify the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency of its ransomware incident, and CISA still didn’t have technical details about the attack as of Tuesday morning, the agency’s top official told senators.” The details brought to light in this attack, prompted President Biden to sign an executive order this past Wednesday, putting forth new mandates to prevent future cybersecurity catastrophes. Initiatives outlined in this order include: removing barriers to threat information sharing between government and private companies, implementing stronger cybersecurity standards in the federal government, improving software supply chain security, establishing a Cybersecurity Safety Review Board, creation of a standard playbook for responding to cyber incidents, improving the detection of cybersecurity incidents on federal government networks, and improving investigation and remediation techniques. Every initiative in this order is going to require people who have the soft and hard skills necessary to carry out the tasks implied. As history has shown us, a national cyber strategy without emphasis on skilled people is empty of any accountable actions, and the urgency of response to threats against the control system of our country and its citizens, cannot wait another 15 to 20 years.
People and Pipelines
It is still too early to tell where the current administration will steer cybersecurity priorities. Another distinction, between Biden’s strategy, and that of his predecessors, is the language used to detail initiatives, particularly when it comes to workforce development. In contrast, Biden emphasizes the importance of building a diverse workforce, stating, “We will expand our investments in the infrastructure and people we need to effectively defend the nation against malicious cyber activity, providing opportunities to Americans of diverse backgrounds as we build an unmatched talent base.” An unmatched talent base of diverse people, from all walks of life, would significantly bolster America’s presence in cyberspace, as a unified democracy and purveyor of ethical values. The people needed to make this a reality are out there, from low-income students and underrepresented minorities, to work-from-home moms, to active duty military and veterans seeking training and employment opportunities. The talent pipeline only works if all the key players are at the table and willing to invest their time, money, and efforts. Cooperation and collaboration across industry, academia, and the government is stressed and waning. The American way of life has always been dependent on the skills of its people, and their abilities to take our nation to new heights of commerce, industry, and policy.
CyberKnights Workforce Talent Portal
The future security of America’s economy and critical infrastructure hangs in the balance of policymakers, skilled workers, and the cooperation of stakeholders, in both private and public sectors. CyberKnights is a robust roles-based, skills-centric database and workforce talent portal, representing the standardization from the NICE Framework as a key tool for every industry where cybersecurity professionals are needed. This portal is free for use by individuals, employers, and academia to explore. Individuals who use CyberKnights can assess their soft and hard skills, create a skills portfolio, show interest in opportunities posted by employers, and more. Employers can search the talent pool, inventory existing skills within their company, identify skills gaps and match to talent, develop skills through partner certification providers, and much more. Academia can align their curriculum to the NICE Framework, leverage metrics, see what skills employers are looking for, connect with companies, and more.