After seeing this come across my news feed and several people comment on it, I thought I’d dump some thoughts. Maybe someday I’ll collect this into a more coherent editorial, but for now this will have to do (lots of code to write, haha).
Basically, if you didn’t read the article, the White House Military Office had a piece of malware installed on it through a spear-phishing attack. Someone clicked on a link in an email that infected their system. The White House has confirmed it, but also confirmed what I suspected – it was on a declassified civilian network and not the ones with the “nuclear codes” or other top secret information. And while everyone freaks out over this, I’d like to present some thoughts on why the WHMO hack is less important than you think, and this other problem is far more urgent than anyone, IT professional or otherwise, realizes.
My biggest fear is not that the US Government is going to get hacked and a nuclear weapon is going to be launched. What keeps me up at night is the fact that hundreds of thousands of US businesses don’t maintain any sort of security in their computer systems. Estimates have put the figure as high as 85% of small to medium businesses that are not doing enough to secure themselves and are therefore vulnerable. Their failures are not negligence either. Technology has progressed at such a high rate that systems administrators have hardly been able to keep up. Information Security used to be a job that could be managed by the administrators; now it’s such a complex science (see: art) that you need highly specialized people just to meet requirements. This is a very hard subject for Republicans and Democrats alike. Democrats cry out for regulation. Republicans cry out for defense spending.
Here’s the problem with both: there are nowhere near the resources needed to do either. Same with Republican defense spending. You can give the DoD all the money in the world or regulate all you’d like, we simply don’t have the human capital to protect the countless computer networks our world has grown to rely on. Half the reason US Government networks are insecure is the manpower. Regulation auditors or Cyber “forces”. Take your pick, the skill sets required for each are very similar.
And the estimates right now for human capital say we need 10,000 top tier cyber experts immediately and another 30,000 over the next 5 years. Currently, it’s estimated that there are fewer than 1000 people in the United States with enough skill to be effective. The Chinese can hammer our government networks all they’d like. They do, but don’t get far. Trust me. I’ve worked closely with several people on this problem. Alan Paller, Chair and Director on Board, at the SANS Institute as well as Karen Evans, Former CIO of the United States under President Bush, have both extensively researched this lack. Here’s a paper delivered to President Obama in November 2010 outlining this issue.
Hackers also hammer any business they can in the United States, with most small businesses completely oblivious to their penetration. They infiltrate, they steal – and usually not money, mostly intellectual property – and they spread. They maintain a low profile, and most anti-virus, even when up to date, won’t protect against it. Good luck having your contract IT worker clean them out. As the young generation grows up learning technology, it becomes like taking candy from a baby to do these things. If Sony’s breach showed us anything, it was that even the biggest companies are extremely vulnerable. And the best hackers? You never hear about their work. That’s how good they are.
It’s these businesses that are being hurt, and in turn our economy, by this cyber “war”. Being part of that elite 1000 has motivated me to attempt to grow its size. Although I’m blessed with some of the best job security of any career field in the world right now, it pains me to see us losing this fight. I have dedicated a substantial amount of my time to volunteer high school and college programs geared towards training and identifying the best young cyber talent in the country and putting it on a path to an effective career. So far in the US Cyber Challenge (USCC), we have brought through over 1000 competitors nationally who have shown potential in the cyber field and gotten them in better training programs.
How do I know these programs work? I was one of them. I came through the US Cyber Challenge in the Summer of 2010. I’ve since dedicated as much time to them outside of work as possible. I also have strongly supported the Collegiate Cyber Defense Competition (CCDC). I was a competitor throughout my time as a student at the Rochester Institute of Technology and also a volunteer red teamer, both regionally and nationally. CCDC now has over 100 schools competing in a national bracket. It is truly the NCAA of cyber security. Dwayne Williams and his staff are the best in class for competitive cyber security.
The biggest gap in security we have is security education. And as much as I have spoken about above, there is still a huge need.
- We need to find and groom the best young talent to increase the work force.
- We need to re-tool our current IT work force with more security knowledge that they can apply to their jobs.
- We need to bring security into the mainstream. Typing classes are nice, but with kids sitting behind screens from such young ages, it’s important that we train all youth in good cyber “hygiene”.
Wherever you fall in those three points, make a difference. The safety of our digital world depends on it.