Security researchers are reacting to a cybersecurity workforce executive order from the White House that came down Thursday, aimed at improving the level of cyber-expertise at federal agencies.
While outlining no specific steps or actions, the order creates a directive to create “a superior cybersecurity workforce [that] will promote American prosperity and preserve peace,” and “strengthen the ability of the Nation to identify and mitigate cybersecurity vulnerabilities in critical infrastructure and defense systems.”
Measures include education and training programs; programs to retrain employees who are interested in joining the cybersecurity field; a “President’s Cup Cybersecurity Competition;” the implementation of the National Institute of Standards and Technology (NIST)’s NICE cybersecurity workforce framework into contracts for IT and cybersecurity services (NICE standardizes the language and terminology used to describe various cyber-functions and roles); and periodic evaluations of the level of cyber-knowledge on staff to determine if agencies are equipped with the right expertise needed for cyber-defense.
On a call with media on Thursday, officials said that another plan is to create a program for cybersecurity staffers to rotate between different agencies and roles, in order to build comprehensive, hands-on skill sets.
The cybersecurity space “represents an incredible economic opportunity for America’s workers — and my Administration is working to ensure they have the skills they need to seize it,” said President Donald Trump in a media statement. “These actions will enable more Americans to secure well-paying jobs that grow our Nation’s wealth and increase our security.”
Many researchers applauded the order, even though concrete details are not yet forthcoming on what its real-world implementation will look like.
“Trump has actually made quite a significant step towards boosting the U.S. government’s cybersecurity workforce and, more importantly, the capabilities of its existing staff,” said James Hadley, CEO of Immersive Labs, via email. “The focus on reskilling professionals and attracting fresh talent to fill the reported 300,000 person-wide gap is definitely along the right lines.”
He added, “But in reality, it’s the effort and resources being put towards upskilling current IT and cyber employees within federal government – and ensuring that they are well-equipped and kept constantly up-to-date on how to handle the latest threats – that will make the biggest impact over the longer term.”
Given today’s digital workforce, the need for all employees – not just those in IT security fields – to be cyber-minded is a necessity, according to Jon Check, senior director of Cyber Protection Solutions at Raytheon Intelligence, Information and Services.
“A well-educated, resilient workforce will not only help protect agencies and businesses from crippling data breaches, but will help prevent such breaches from escalating to national security emergencies,” he noted in an email. “This Executive Order is a big step towards future-proofing data security; the establishment of a cybersecurity rotational assignment program and agency aptitude assessments, in addition to increased public-private sector collaboration, will help bolster our cybersecurity workforce before talent gaps turn into major breaches.”
However, the lack of clear-cut policy directives in the executive order caught the notice of Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“For this directive to succeed, government officials must do more than acknowledge the difficulty and urgency of addressing cybersecurity threats,” he said in an emailed statement. “For example, if this administration really wanted to go beyond policy declarations, they could take the advice of scores of industry experts and decide that we will not introduce encryption backdoors into consumer technology that will only weaken our defenses and aid our adversaries.”
How the government will pay for it is also top-of-mind for researchers; the order itself only vaguely mentions using a mix of federal and private funding. Thus, having realistic expectations is important, according to Pravin Kothari, founder and CEO of CipherCloud.
“The [E.O.] is a step in the right direction, but more needs to be done, and will require major funding and continuous investment for five to 10 years that may span over multiple administrations before we can see results,” Kothari said in an email. “While this Executive Order is a step in the right direction and further affirms the reality of cybersecurity as a widespread issue that touches every person and every industry, this just represents a down payment in the protection of our nation’s cyber infrastructure.”
The executive order is timely; a majority of security professionals believe it’s getting harder to recruit talent into the industry, according to a recent study from Tripwire.
Some 85 percent of respondents in the Tripwire 2019 Skills Gap Survey said their IT security departments are already understaffed, and just 1 percent said they can manage all of their organization’s cybersecurity needs with a shortfall in skills.
The rapid acceleration of the threat landscape and changing defensive requirements are creating the biggest challenge: 93 percent of respondents claimed that the skills required to be a great security professional have changed over the past few years.