Pentagon hiring binge won't guarantee more security

A Pentagon plan to hire another 4,000 cybersecurity professionals, for both defense and offense, will improve the employment and salary prospects of those with the right skills.

On that much, most cybersecurity experts agree. They are less confident, however, that it will significantly improve the nation's security from catastrophic cyberattacks.

The plan, leaked last week to the Washington Post prior to a formal announcement, would expand the Pentagon's cybersecurity force within the next several years by 500%, from 900 to 4,900 military and civilian personnel.

At the request of the Defense Department's Cyber Command, it would also expand the focus of the force from largely defensive to offensive as well -- a move that is highly controversial among cybersecurity experts.

Both outgoing Defense Secretary Leon Panetta and Homeland Security Secretary Janet Napolitano have warned several times in recent months of the increasing threat of a "cyber Pearl Harbor" or "cyber 9/11" from hostile nation states.

"The only question is whether we're going to take the necessary steps like this one to deflect the impact of the attack in advance or ... read about the steps we should have taken in some post-attack commission report," William J. Lynn III, a former deputy defense secretary who has worked with the Pentagon to develop its cybersecurity strategy, told the Post.

Gary McGraw, CTO of Cigital, who has been a vocal opponent of taking the offense in cybersecurity conflicts, said neither the hiring nor its purpose is a surprise. "The Cyber Command is not new, and we knew they were doing offense. What do you think Stuxnet was?" he said, in reference to the computer worm used to attack Iranian nuclear facilities, generally acknowledged to have been launched by the U.S. and Israeli governments.

"This is just about staffing up," he said.

The Pentagon plan is focused on having the new staff address three major vulnerabilities in the U.S., the report said. "'National mission forces,' to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security; 'combat mission forces' to help commanders abroad plan and execute attacks or other offensive operations; and 'cyber protection forces' to fortify the Defense Department's networks."

All of which are admirable goals, said Joe Weiss, managing partner of Applied Control Solutions, but without the right mix of skills, he said it may not improve security no matter how many people are hired or how much money is spent.

"I'm an engineer, so I understand how industrial control systems (ICS) work. Unfortunately, many IT people don't," he said. "Given the state of ICS technology, there probably will be a cyber Pearl Harbor, but we might not know it. There are minimal cyber forensics for control systems."

Weiss added: "If a plant shuts down or blows up, you can't hide that, but you may or may not know if cyber had anything to do with it."

Part of the problem, he contends, is that the IT security industry focuses on malicious attacks. Of 300 industrial control system incidents, four have killed people, four nuclear plants were shut down from full power, there were four major "cyber-related electric outages," and "a water company that pumped water from a Superfund site into the drinking water system."

"But they were unintentional, so none of them had the term 'cyber' attached to them," he said. "Even if something is unintentional, it's real, and it shows vulnerabilities that can have significant consequences."

"We need people who are both control-system and cyber experts, or at least willing to work together, and there aren't enough of those," he said.

Paul de Souza, founder director of the Cyber Warfare Division of the Cyber Security Forum Initiative, agrees that those with the right mix of skills are in high demand and short supply. "The main problem in the U.S. is to find cleared cyber operations professionals with full spectrum -- exploitation-offense-defense -- hands-on experience," he said.

Gary McGraw, who has been delivering the "build security in" mantra for years, says it is an old problem.

"What we need is security engineering -- building systems that are harder to attack," McGraw said. "We could hire a bajillion system administrators -- and we need some of those guys to configure networks and build firewalls -- but what we also need are software security professionals who are going to build better systems."

McGraw, Weiss and others say the U.S. is asking for more trouble if it goes on offense, because it is still so easy for cyber attackers to cover their tracks, or make it look like it came from an innocent party or country. "Offense is fine if you know who you're going after, like Iran," McGraw said. "But if you don't know for sure who it is, it's a problem. You have to watch out for the head fake."

In spite of U.S. officials' insistence that they are much better at knowing who launched an attack and from where, McGraw and others are not convinced. And if an attack is launched at the wrong organization or state, "it happens so fast, you can't say, 'Oops,'" McGraw said.

Weiss warns of a blowback effect. "There are maybe 20 vendors internationally for these [industrial control] systems, which are used in some countries that are not so friendly to the U.S.," he said. "They do what they were designed to do well, which is operate reliably and safely for many years. But security was not part of their design. If you start making them fair game, we're in a lot of trouble -- not just here but all over."

Stories by Taylor Armerding