Friday, July 23, 2021

Cybersecurity’s Sputnik Moment

Ryan Craig
Senior Contributor
FORBES
Education


One of the most popular petitions on Change.org makes this eccentric demand: “We want Jeff Bezos to buy and eat the Mona Lisa.” While the New York Times covered the petition by investigating whether buying and eating the world’s most famous work of art is legal (probably), left unsaid was how the petition descends directly from the greatest satire of all time. In A Modest Proposal, Jonathan Swift pondered the dual challenges of Irish poverty and overpopulation before reaching a surprising conclusion: poor Irish should sell their children for rich Brits to eat. While the world’s richest man hasn’t yet responded (unlike Lord Bathurst, who told Swift he shared the proposal with Lady Bathurst, but that her preference was that their boy become a lawyer so “instead of being [eaten] himself, he should devour others”), Change.org’s food-for-thought satire of monstrous inequality has attracted over 16,000 signatures and comments such as “It’s Gluten Free,” “This will solve global warming,” and “Gobble da Lisa.”

No one enjoys good satire more than I do. But it occurred to me that given the unprecedented increase in cyber attacks on infrastructure this summer, it won’t be long before the lights go out in the Louvre. And if we won’t be able to see the Mona Lisa anyway, why not let Jeff Bezos eat it?



Stick a Mona Lisa in this man's mouth AFP VIA GETTY IMAGES

There’s no Change.org petition to stop ransomware and other malicious cyber activities. I’m guessing for two reasons: (1) It would put a big target on Change.org; and (2) It’s not remotely funny. The cyber crisis has emerged as the #1 threat to our national security. On top of chronic cyberwarfare from Russia’s GRU and SVR, China’s PLA units 61398 and 61486, and North Korea’s Bureau 121, America now faces tolerated if not sanctioned hacking and ransomware from Russian groups like DarkSide and REvil (i.e., Ransomware Evil) as well as a rogues’ gallery of cyber criminals. This week we learned that the recent massive breach of Microsoft Exchange was actually sponsored by the Chinese government (paying criminal groups). By targeting critical infrastructure like electricity, gasoline, food, hospitals, schools, and now businesses that make software installed at hundreds of thousands of companies, a single attack can victimize tens of millions of Americans. While there are no official cybercrime statistics, as of last month insurance claims were up 300% year-over-year. And in the past few weeks, cyber ransoms have exploded.

The clear and present cyber danger hearkens back to 1957 and the launch of Sputnik. When Russia’s predecessor lofted the first satellite into orbit, America was shocked. Driven in part by wall-to-wall media coverage (the New York Times ran 279 articles in the next 3 and ½ weeks, more than 11 per day), Sputnik led to sky searching for Russian rockets raining down on our heads and an era of ducking and covering.

Sputnik also led to national navel gazing about a science skills gap. In Washington, it spurred passage of the National Defense Education Act, a quadrupling of funding for the National Science Foundation, and the creation of NASA, all of which prioritized and revolutionized the teaching of math and science with the goal of closing the gap. The resulting innovation played a major role in winning the Cold War 32 years later.

32 years after the end of the Cold War, we’re under constant attack from hostile governments and cyber scum seeking to use technology to steal, destabilize, and shut down America. We’re (digitally) ducking and covering. So why aren’t we experiencing a Sputnik moment for cybersecurity? It’s now obvious that the flipside of digital transformation is an urgent need for digital resilience. While media coverage of this summer’s cybersecurity crisis has been robust (although a long way from 11 articles a day), we’re not seeing Sputnik-level panic from any sector – more crickets than crisis.

Here’s what seems to be keeping us from seeing DarkSide like we saw Sputnik:

1) Complexity


The digital architecture of any organization of scale (and vintage i.e., not recent) is now breathtakingly complex. The need for connectivity and systems integration across the supply chain and customer base has led to layers of software and platforms riddled with open seams and jerry-rigged connections that are extremely hard to safeguard from malfeasance. Add to this a rapidly growing number of connected cloud servers, IoT and BYOD (bring your own device, exacerbated by work-from-home), and complexity increases exponentially. The U.S. now has over 1.5 billion IP addresses, 4x our biggest digital rival (China). All it takes is one point of weakness – or more likely human error – and goodbye data.

If the alphabet soup of acronyms is any indication, enumerating enterprise cybersecurity risks is about as fun as seeing how high you can count (i.e., quite high, not fun). At the same time, rocket science is also pretty complex (i.e., not “not rocket science”). So complexity and not fun can’t be the only or even primary reasons.

2) Defensive


Cybersecurity is all about playing defense, where America doesn’t have a great track record over the past few years. Our Covid defense fell far short of expectations. And our porous defense to slow-motion disasters like climate change is even worse. But cybercrime isn’t happening in slow motion – more like double or triple time. (Unlike Covid, a crippling cyber attack on national infrastructure wouldn’t necessarily close schools; it might do us the favor of closing remote schooling, although I guarantee certain teachers unions and pliant school districts would find a reason to close schools.)

The primary problem is that it’s hard to get excited about cyber defense, particularly a multi-year, multi-decade defensive effort to preserve the digital status quo. Sputnik shock spurred a response that was about much more than defense. It was about establishing a new frontier (the final frontier) for a nation that closed what was thought to be its last frontier three generations earlier. That was a key part of America’s Sputnik moment.

So can we dream up a relevant frontier that will rouse us from cyber slumber?

3) Talent


The message of Sputnik was clear: America needs more rocket scientists. Government, schools, and business heeded the call and responded with a coordinated effort: government funded, schools educated, and employers hired. It all worked so well, the best way to describe it was – in the immortal words of Neil Armstrong looking back from the moon – “gee whiz.”

In contrast, the cybersecurity talent machine awaits assembly. While cybersecurity programs pop up at colleges and universities, most are master’s degrees that cost $25,000+ and, as Kevin Carey notes, “heavily debt-financed, marketed very aggressively through online web advertising, [and] purport to provide very specific economic opportunities in a given field.” At the same time, cybersecurity bachelor’s degrees aren’t a panacea; they’re only marginally faster + cheaper and the very specific skills demanded by employers are more easily and naturally learned in a work environment than a classroom as part of a 3-credit course. Much of what passes for cybersecurity coursework at colleges and universities is out-of-date, out-of-touch, and disconnected from entry-level industry-recognized certifications like SSCP, CompTIA Security+, and GSEC.

So employers aren’t solely at fault for transforming entry-level cybersecurity jobs into oxymorons via certification and experience inflation (see e.g., Glassdoor post for entry-level security operations center (SOC) analyst position demanding “bachelor’s degree, at least four years of experience, including time doing penetration testing, digital forensics and vulnerability assessments; and professional certificates”). Nevertheless, employers are the primary architects of “this self-licking ice-cream cone of misery” known as the cybersecurity skills gap. According to international cybersecurity organization (ICS)2, there are nearly 600,000 unfilled cybersecurity jobs in the U.S.; we’re missing an entire cybersecurity city.

Just as Democrats have spent years using Green Jobs to mainstream the fight against climate change, jobs can help galvanize a Sputnik moment for cybersecurity. In an era with far too few clear pathways to good digital jobs, digital defense has the potential to lift up hundreds of thousands of American workers and their families, while giving hope to millions more. These are good jobs that pay over $80,000 to start and serve as pathways to even more lucrative careers (here are five positions that average over $200,000) with impressive job security (“a guaranteed job for life”). And as cybersecurity is now indispensable to so much of our digital architecture, entry-level analysts aren’t stuck in the SOC, but perfectly positioned to pursue dozens of other lucrative tech careers.

Jobs and socioeconomic mobility are the right frontier for two more reasons. First, as Tim Herbert, executive vice president for research at CompTIA notes, “you don’t have to be a graduate of MIT to work in cybersecurity.” Moreover, industry experts agree you don’t need a degree at all. Despite the complexity of the field, an entry-level position in cybersecurity “is not rocket science”; becoming a pen tester or incident response analyst doesn’t require years of formal training.

Second, cybersecurity has a major advantage over other sectors with huge (albeit not existential) skills gaps: the action isn’t happening inside big, sclerotic companies, but rather at cybersecurity service providers. While some large employers find a need to employ hundreds or even thousands cybersecurity employees (JPMorgan Chase reportedly 3,000), the trend is to outsource as much as possible to managed security service providers (MSSPs) who actually know what they’re doing. It makes sense: threats to JPMorgan Chase are similar if not identical to threats to Citibank or Chevron. MSSPs see it all and are able to leverage experience with one client for the benefit of others.

So MSSPs and other cybersecurity product and service providers are best positioned to close the cybersecurity skills gap. They know exactly what talent they need and some have developed deep expertise in training. But they could use some encouragement to begin scaling talent pathways via investments in sourcing, screening, hiring, and training talent they’re not tapping today. Because as it stands, America’s Rube Goldberg-esque cybersecurity talent machine comes with this disclaimer: some assembly required, batteries not included.

Federal funding provided the power to respond to Sputnik. It could do the same in this moment. So as the Biden Administration strives to drop an additional $300 billion into America’s colleges and universities and hand over an additional $10 billion to unions running apprenticeship programs in the building and construction trades, a fraction could be profitably diverted to support or subsidize cybersecurity pathways in places like MSSPs where training is directly aligned with employment.

If the government can go this far, why not fund a new CCC? Instead of FDR’s Civilian Conservation Corps, which employed three million young Americans to build public works that continue to serve the country today, Biden’s CCC would be a Civilian Cybersecurity Corps. Just as the Israeli Defense Forces provides young Israelis with highly relevant digital career-launching, innovation-spurring training, the CCC could do the same, plus rekindle the American Dream, plus ensure we still have an America to dream about. This may not be a modest proposal. But it’s exactly what we need to combat inequality and keep the Mona Lisa out of Jeff Bezos’ ravenous maw.

Follow me on Twitter or LinkedIn. Check out my website or some of my other work here.

No comments: