A Cyber Pipeline
Print Issue: February 2018
It was a tense moment. Twenty minutes before taking the stage at the 2016 RSA Conference in San Francisco, U.S. Secretary of Defense Ash Carter had signed an agreement to create the first U.S. government bug bounty program.
"I was sitting in the front row there, just shaking my head and praying everything would work out the way it was supposed to," says Lisa Wiswell, former U.S. Department of Defense (DoD) bureaucracy hacker who oversaw the bug bounty program.
And work, it did. Dubbed "Hack the Pentagon," the program allowed 1,400 security researchers to hunt down vulnerabilities on designated public-facing DoD websites. More than 250 researchers found and reported those vulnerabilities to the DoD, which paid them a total of $150,000 for their efforts.
"It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million," Carter said in a statement.
Based on the program's success, the DoD launched "Hack the Army" in 2016, followed by "Hack the Air Force" in 2017, to continue to address security vulnerabilities in its systems. This method of crowdsourcing cybersecurity is one that many organizations are turning to as they continue to struggle to recruit and retain cyber talent.
According to the most recent Global Information Workforce Study, the cybersecurity workforce gap is on pace to increase 20 percent from 2015—leaving 1.8 million unfilled positions by 2020.
"Workers cite a variety of reasons why there are too few information security workers, and these reasons vary regionally; however, globally the most common reason for the worker shortage is a lack of qualified personnel," according to the report's findings. "Nowhere is this trend more common than in North America, where 68 percent of professionals believe there are too few cybersecurity workers in their department, and a majority believes that it is a result of a lack of qualified personnel."
To help address this issue, study respondents reported that more than one-third of hiring managers globally are planning to increase the size of their departments by 15 percent or more. However, the report found that historically, demand for cybersecurity talent has outpaced the supply—which will continue to exacerbate the current workforce gap if the trend continues.
"It is clear, as evidenced by the growing number of professionals who feel that there are too few workers in their field, that traditional recruitment channels are not meeting the demand for cybersecurity workers around the world," the report explained. "Hiring managers must, therefore, begin to explore new recruitment channels and find unconventional strategies and techniques to fill the worker gap."
One technique to fill the worker gap is being used by the FBI, which has a long history of workforce training and development to keep agents—and Bureau staff—at the top of their game to further its mission.
In an appearance at ASIS 2017, FBI Director Christopher Wray explained that the Bureau has created a training program to identify individuals with cyber aptitude and train them so they have the skills necessary to identify and investigate cybercrime.
"We can't prevent every attack or punish every hacker, but we can build our capabilities," Wray said. "We're improving the way we do business, blending traditional techniques, assigning work based on cyber experience instead of jurisdiction, so cyber teams can deploy at a moment's notice."
In an interview, Assistant Section Chief for Cyber Readiness Supervisory Special Agent John Caliano says the FBI is looking internally to beef up all employees' cyber abilities.
"There is a notional thought that all the cybersmart people are in the Cyber Division," he adds. "There are a lot of very talented people outside the Cyber Division, some have worked in other areas…the goal is to start to pick up in the investigative realm and lift the abilities of all employees, so they have a basic understanding of cyber and digital threats today."
To do this, the FBI has employees undergo a cyber talent assessment which looks at the skill sets they brought with them when they were hired, the skills they have learned on the job, and their aptitude for formalized and informalized training on cybersecurity and technology.
The FBI then sorts employees into three categories: beginners, slightly advanced, or advanced. Employees are then sent to outside educational courses, such as those provided by the SANS Institute or partnering universities, to learn more about cybersecurity and bring that knowledge back to the FBI. The FBI also works with the private sector to embed employees to teach them specialized skills, such as how SCADA networks operate.
In 2016, Caliano says, the FBI identified 270 employees for cyber training who were not part of the Cyber Division. Approximately two-thirds of those employees were categorized as beginners at the outset, and Caliano says the Bureau plans to continue the assessments and training for the foreseeable future.
And for its specialized teams, the FBI is continuously developing in-house training that will eventually be offered to the entire FBI.
"One day, all FBI employees will take these courses and pass these courses," he says. "People will understand what depth and defense mean, how to secure networks, and trace IP addresses."
These specialized teams include its Cyber Action Team (CAT), which is made up of employees who deploy when a major cyber incident occurs. For instance, when the Sony hack occurred in 2013 the initial FBI response team had a few members who were also CAT members who were sent to the scene.
Once the FBI became aware of the severity of the incident, it sent a full CAT to Sony's headquarters to sit with the network operators to comb through their logs to see how the attack spread.
While this training provides professional development opportunities to current employees, the FBI is also focused on identifying future talent that can be recruited into the FBI.
"We can't compete with dollars, but we can compete on mission," Caliano says, adding that the FBI often gets to look at cyber threats and address them in a way that the private sector does not, providing employees a "deeper sense of fulfillment."
To attract talent, the FBI has a variety of initiatives including an Honors Intern Program open to all college students. It also has a postgraduate program where the FBI will pay for a graduate or doctoral student's degree. It's also reaching out to students at the high school level through its Pay It Forward program, which engages students in math, science, and technology who might show cyber aptitude.
"We are, as a workforce planning objective, training at schools—driving down to the high school level," Caliano tells Security Management.
Another new recruiting channel has been championed by Wiswell since she left the DoD in 2017. After leaving the public sector, she went to work at GRIMM, a cybersecurity engineering and consultant firm, as a principal consultant. One of her main responsibilities is to oversee its GRIMM Academic Partnership Program that runs the HAX program.
Through HAX, undergraduate cybersecurity clubs can participate in friendly competitions and gain hands-on cyber experience. GRIMM has partnered with Penn State University at Altoona's Security Risk Analysis Club and Sheetz Entrepreneurial Fellows Program, the Michigan Technological University (MTU) Red Team, George Mason University Competitive Cyber Club, and the Rochester Institute of Technology's Rochester Cybersecurity Club.
Throughout the academic year, participants in HAX break into teams to complete programs designed by GRIMM engineer Jamie Geiger that are similar to computer Capture the Flag challenges. While participants have the option to compete individually, Wiswell says she encourages students to create a team to hone their communication skills.
"A lot of this field has an individualist focus a lot of the time, and what's really needed is the ability to communicate well, both up and down, to work well on teams, and to have effective analytical skills," she explains. "The kinds of things that you learn well by doing these kinds of team-based challenges."
GRIMM chose these programs in particular to create a talent pipeline for the company, which has offices in the Washington, D.C., area and in Michigan—near two of the universities it's partnered with. By engaging college students through HAX, GRIMM hopes to create a talent pipeline and increase diversity on its own staff.
"HAX is an effort to do both those things," Wiswell says. "We are kind of do-gooders on one hand. If folks that are participating in the program have no interest in coming to work for GRIMM, that's fine. We just hope that they use their talents and go somewhere."
That's why the challenges and the experience to connect with people working in cybersecurity are important, according to Wiswell, because it helps students make informed decisions about what they would like to do after graduation.
"We're trying to think outside the box in ways that students feel very well rounded, so students can make decisions on what sliver of this workforce is most interesting," Wiswell says, explaining that current challenges are focused on Linux and Microsoft systems, but in the future, might include hardware and other areas.
And to gain even more experience before graduation, Wiswell says she encourages students to take part in bug bounty programs to get connected to companies that might one day hire them.
"If you already have a lot of good skill and you're trying to hone skill—and make some cash—we think that bug bounty programs are a great way to do that," Wiswell explains to Security Management. "GRIMM is partnered with a couple bug bounty as a service providers to help them get in a broader group of individuals who are interested in participating, as well as companies that could benefit from hosting bug bounties themselves."