Hackers in High Demand
From 1955 until 1972, two Cold War nations battled against one another in the Space Race. Both the United States and the Soviet Union strived to outdo one another in spaceflight capabilities, the fire being fueled largely by Russia’s launch of Sputnik, the first satellite to go into orbit, in 1957. This feat spurred fears for the United States that it did not have enough scientists, engineers, or mathematicians to beat the Soviets.
Solving such a shortage would start with a young person in the United States being inspired to enter one of the above fields; say an individual who was in seventh grade when the race started. By the time that person obtained a master’s degree, the year would be 1969, when the Space Race was slowing down. By 1972, “the era of endless growth came to a shuddering end; many layoffs ensued. Had this individual stayed the course over an entire career, there would have been ups…and downs, and it all may have ended well, but not nearly as well as it looked when the educational commitments were made.”
That’s the example used in a report, released in June by the RAND Corporation, titled Hackers Wanted: An Examination of the Cybersecurity Labor Market, to illustrate a real possibility for the high demand that exists now in the United States for cybersecurity professionals. However, while it outlines the Space Race comparison, the study calls such an outcome “unlikely,” mainly because there is a growing reliance on networks, enormous government interest in the field, and ever-evolving, advanced threats in cyberspace. “As long as the threat exists, there would seem to be sufficient demand for cybersecurity services,” the study states.
The RAND report looks at the job market for cyber professionals with a particular focus on those who are “employed to defend the United States,” including federal government and private-sector jobs, then examines the responses currently underway to solve that shortage. It makes several recommendations for potentially addressing the problem.
The study begins by examining a number of comprehensive reports on the “cybersecurity manpower needs,” conducted by companies including Booz Allen Hamilton, the Center for Strategic and International Studies, and the Department of Homeland Security’s Homeland Security Advisory Council. One message the report makes clear early on is that a rigorous definition of a cybersecurity professional does not exist, due to the various cyber issues that need addressing, and the different ways in which agencies and enterprises classify job functions. But, as the report states, “Their underlying message is the same: A shortage exists, it is worst for the federal government, and it potentially undermines the nation’s cybersecurity.”
Martin Libicki, senior management scientist at the RAND Corporation and a coauthor of the study, says that the United States did not get into the shortage overnight, and that it will not be solved overnight, either. “The creation of additional supply, which is to say the creation of people who are adept at cybersecurity, takes a long time,” he tells Security Management.
He compares the lack of cybersecurity professionals to shortages in the oil market—if the price of oil doubles today, it will take a while before the increase in demand is met. “You have to find the reserves, drill the wells, extract it, refine it.”
The challenges faced by enterprises when hiring cybersecurity professionals are varied. Larger companies, especially in the private sector, are able to pool existing resources and train employees through in-house programs. “The larger organizations—both private and public—have found ways of coping with tightening labor markets, in large part through internal promotion and education, a route that is less attractive to smaller organizations that (rightly) fear that those they expensively educate will take their training to other employers,” the report states. Often, large organizations can also offer more competitive salaries to attract the most talented, experienced workers.
While some government organizations have difficulty competing with private-sector companies, large military defense entities such as the U.S. Air Force or intelligence agencies like the National Security Agency (NSA) have a lower turnover rate for cybersecurity professionals. RAND researchers conducted interviews with the Air Force and learned that the organization is “satisfied that they can get their basic cybersecurity needs met, but this may be true, in our observation, because they do not rely on attracting upper-tier professionals to do so.” While the NSA is more likely to outsource its IT security jobs, RAND found in interviews with the agency that it loses no more cybersecurity professionals “to voluntary quits than to retirements.”
There are a number of policy changes the report explores to solve the shortage. One of those is the oft-touted concept of altering U.S. immigration policy to make it easier for foreign nationals with cyber skills to enter the country. “Despite the general merit of such ideas, it is easy to exaggerate how much this would help,” the report states. “A large share of cybersecurity work can be carried out overseas…and requirements for U.S. citizenship limit the help that increasing the number of such individuals would provide to meeting national security needs.”
Importantly, RAND points out that more secure system and software programmers are needed to create more hardened networks from the start, which could possibly decrease the demand for cybersecurity professionals. The study says that education policy plays a large role in addressing the shortage. Libicki says getting students interested and involved in cybersecurity earlier in life, especially during the middle and high school years, could help address the shortage over time. He points out that universities have recently stepped up to the plate in providing more cybersecurity-focused education. The report states that schools are getting more specific in their cybersecurity offerings. “Universities have also done a credible job finding individual niches to explore: among those we interviewed one specializes in industrial control systems, another in applications at scale, a third in cybersecurity management, and a fourth in cybersecurity public policy,” it reads.
One company getting involved with students and cybersecurity is ESET, which hosts an annual Cyber Boot Camp for high schoolers at its North American headquarters in San Diego. The students spend a week learning “ethical hacking” skills in a network that replicates a corporate environment. Students must sign an agreement stating they will only use the skills learned at the camp for good. “When we bring students into what you could call a hacking school, we take very seriously the need to direct them appropriately,” says Stephen Cobb, senior security researcher at ESET.
Cobb says that the RAND report does tackle many of the challenges in cybersecurity staffing, but fails to address one critical component fully enough: cybercrime. “I would have liked to see more analysis of the relative merits of dedicating resources to cybercrime reduction rather than staffing for cybercrime response, particularly as cybercrime is the primary driver of demand in the private sector,” he says.