Recommendations on cyber security for the 45th president… Use more hackers

r00tz Asylum Conference, 2016

First Published by TechCrunch on Jan 20, 2017 by Nico Sell & Raj Shah (@diu_x), Managing Director of Defense Innovation Unit Experimental at the United States Department of Defense.

2016 was an extraordinary year. A record number of security breaches affected billions of people worldwide, including cyber attacks that dramatically impacted the course of businesses and governments.

The United States, the world’s most connected nation, and the rest of the world will face, over the next five years, a deficit of 1.5 million cyber professionals whose jobs are essential to protecting critical networks and securing personal information. Fortunately, this crisis also presents a significant opportunity.

2017 can lay the groundwork for our nation to build the world’s greatest cyber workforce through improvements in education opportunities, economic incentives, and cyber awareness. To seize this opportunity, the next administration needs to develop an ambitious yet practical plan to accelerate the growth of our national workforce.

As part of the bipartisan Cyber Policy Task Force hosted by the Center for Strategic and International Studies, a group of the nation’s leading cybersecurity experts, guided by Senator Sheldon Whitehouse and Chairman Michael McCaul, recently released recommendations for the next administration on bolstering US cyber defenses. Accelerating public and private investment in our cyber workforce is critical to US economic growth and national security. Our nation’s cyber workforce needs to be a priority for the incoming President.

Given our backgrounds in security, we know it is critical that products and systems are built to be resilient to digital threats from the start. To tackle complex cyber challenges, traditional approaches to information security, in which security is an add-on, are no longer adequate.

The rush of connected, innovative products, also known as the Internet of Things, may make businesses and households more efficient, but it also expands the attack surface against individual users, companies, and nations. If devices and services are insufficiently hardened, the risks could quickly outweigh the benefits.

Very few policy-makers foresaw that internet-connected cameras, toasters, refrigerators, routers, and TVs could turn into infected bots and disrupt large companies, resulting in millions in lost revenue and the potential loss of customer trust. As we grow more connected, it is not difficult to imagine similar attacks having a far greater impact on the US and the world.

As our nation innovates and builds new technology, we must grow and empower our workforce to address these threats to technology companies, manufacturers, power generators, hospitals, and the government.

Information security is one of the fastest-growing job markets in the United States. Directing substantial private and public investment into cyber training programs is an important step towards boosting the economy as well as securing our infrastructure. The private and public sectors are equally impacted by cyber threats and will benefit from investments in creating new opportunities for veterans, the unemployed, and groups currently underrepresented in information security.

The results of the 2016 US Presidential Election were in large part fueled by concerns over the economy and the decline of manufacturing jobs. Retraining and vocational programs will help address the immediate shortage of entry-level specialists with strong potential to advance within this fast-growing, high-paying industry.

A strong and sizable cyber workforce is also critical to US national security organizations. The Department of Defense and Department of Homeland Security are both impacted by the dearth of cyber professionals. They too need a larger pool of cyber experts to recruit from.

And that is where hacking comes in: it is a very hands-on effort to meaningfully improve things and ideas by investigating new ways of using technology and hardware.

To understand how technology can be more secure, it is helpful to know how to break it. Ethical hacking, or hacking with the intent to improve things, can be a powerful mechanism to improve systems as well as capture the interest of younger Americans.

This approach, as we see at DEF CON and its kids’ version r00tz Asylum, can be successfully applied to all complex systems – from air traffic control to weapons systems. White-hat hackers around the world who engage in productive, responsible disclosure can help companies and governments boost their security.

The US must embrace the idea of expanding this cyber mission and ethos broadly. Introducing white-hat hacking classes into the K-12 system would be a good start. The excitement of young students as they gain an understanding of technology and security is remarkable. Exploring the apps and devices they rely on every day, and how easily they can be compromised, helps build a much-needed culture change.

Such understanding inspires a curiosity to tinker with computers to make them stronger against potential adversaries. With hacking as their super power, kids are no longer just consumers; they become ethical creators responsible for ensuring that their communities are safe.

The growing demand for white-hat hacking skills is a powerful solution to meeting critical security and economic needs. Imagine what our country can achieve if we make security an accessible and attractive professional track for young people, veterans, and others looking to learn new skills.

Not only are committed public servants needed to defend the US against information security risks, but private companies, who own most of our nation’s critical infrastructure, must also employ greater numbers of security practitioners.

We recommend that the 45th President introduce a landmark initiative to secure public-private funding to grow and train the cyber workforce in 2017. This joint industry-government commitment should address education, professional training, and public awareness. As cyber threat levels rise and the shortage of cyber skills grows more acute, we encourage the incoming administration to build the foundation for sustainable information security and economic growth: a strong, well-trained cyber workforce.