a global affairs media network

www.diplomaticourier.com

Global Security and the Cyber Workforce Challenge

February 20, 2023

Cybercrime is poised to have a huge 2023, with threats from both state and non-state actors proliferating. We need to fix the cybersecurity workforce shortage, and make smart use of cybersecurity automation, to meet this growing threat, writes Sean Costigan.

Cybercrime trend lines for 2023 are pointing to a banner year for cybercriminals. Lest anyone forget, the Federal Bureau of Investigation’s 2021 Internet Crime Report cited nearly $7 billion in cybercrime-related losses, double the losses reported in 2019. Newer data from the 2022 Verizon Data Breach Investigations Report depicts a startling rise in ransomware: an almost 13% year-over-year increase, as large as the increases of the previous five years combined. It would have been scarcely imaginable a few years ago, but today half of all businesses report having been hit by cybercrime.

While it’s broadly recognized by governments that what happens in cyberspace constitutes a top international and national security issue, collective vision for what to do remains shrouded and mired. State actors may seek to foment instability or even gain profit themselves, such as by bypassing sanctions. Non-state actors have set up cybercrime as a service and are competing for dollars, driving the price of their services down as thinly-resourced defenders do their best to contend with a widening variety of threat actors.

Whether for prosaic criminal ends or obscure state objectives, both state and non-state actors have availed themselves of the current disordered environment and our collective dependence on cyberspace. While their goals aren’t always clear, what is clear is that lasting damage to trust in people, systems, and cyberspace is a feature of our time.

The attack surface of our global community is growing while the gains in security aren’t matching the needs, as I previously described in detail here and here. In short, it has been nearly twenty years since the acceptance that cyberspace is a domain in its own right and cybersecurity remains a work in progress.

Cybercriminals aren’t the only ones noticing gaps and seams. Over the past few years companies have moved into security spheres formerly occupied by governments. And for good reason, too: it can be argued that corporations cannot continue to absorb ever-increasing losses in profit, fines, reputation, and damage. Consider that in most countries the majority of critical infrastructure lies in private hands. Sensing a vacuum, and facing mounting losses and the prospect of uninsurability, multinational corporations have doubled down on calls for better behavior in cyberspace, public-private partnerships, criminal prosecution of the worst offenders, public attribution of cybercrime, and the deployment of stronger technical solutions.

Where are all the people?

Largely unheralded in the public and political debates around what to do about the troubles in cyberspace is the persistent global shortage of skilled cybersecurity professionals. Indicators point to an estimated 3.5 million unfilled cybersecurity jobs by 2025. (Alas, cybersecurity is not the only field suffering from a lack of talented people.)

Countries suffer both from an inability to train sufficient numbers of cyber workers and from a lack of the wherewithal to retain them against the onslaught of daily struggles and stress, among other issues. Further, few institutions can afford the time it takes to hire and train employees, so organizations suffer diffuse setbacks as they shed talent and then attempt to acquire and spin up replacements. So just as cybercrime is rising, the cybersecurity workforce challenge is not going away.

At the human level, studies report that chief information security officers and other security professionals suffer greatly from the stress of their positions. When recently polled, 88% of CISOs reported being moderately or tremendously stressed, and 48% noted mental health concerns. CISOs working for government agencies and corporations carry an enormous burden and hold an attractive skillset, which is reflected in their short tenures: an average of 2 years, or roughly half that of chief information officers, according to a study by Korn Ferry. At the macro level, the Great Resignation aside, education and training institutions are doubly challenged by both the pace of change in cybersecurity and the growing need to educate increasing numbers of professionals. They simply cannot keep up with the need.

Policies, Frameworks, and Volunteer Cyberwarriors

Given the state of affairs, governments worldwide are beginning to take action. Last September the US federal government published an in-depth “Call for Collective Action,” an inter-agency plan led by the Department of Defense, the Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency, among others. The plan seeks to address the cyber workforce challenge with a whole-of-government strategy that includes measures such as standardized assessments of the workforce, improved diversity, and expanded creative means of retaining cyber professionals. The plan follows the US federal government’s adoption of rules allowing increased salaries for cybersecurity professionals, with some topping out above the salary of the vice president of the United States.

Frameworks also play a critical role here. Many countries have adopted the NICE Workforce Framework, developed and freely shared by the US National Initiative for Cybersecurity Education (NICE) to assist employers of all sizes in developing a cybersecurity workforce. The mission of NICE is to “energize and promote a robust network and an ecosystem of cybersecurity education, training and workforce development.” NICE is led by the National Institute of Standards and Technology (NIST) within the US Department of Commerce and is a partnership between government, academia, and the private sector that seeks to improve US cybersecurity education, training, and professional development.

In Europe, ENISA, the European Union Agency for Cybersecurity, published the European Cybersecurity Skills Framework (ECSF) in September 2022, dubbed “a practical tool to support the identification and articulation of tasks, competences, skills and knowledge associated with the roles of European cybersecurity professionals.” Across the world, many small countries are also exploring increased salaries and tax abatement strategies for cybersecurity professionals, as well as other incentives such as permanent employment and continuous education.

To those new to this issue, the cybersecurity workforce challenge may not appear to be a dire national security emergency. But consider the case of Ukraine. Well before the most recent Russian invasion, Ukraine suffered a massive brain drain of technical talent, placing it among the countries least able to retain talent in a study of 137 countries. After Russia’s 2022 invasion, Ukraine’s government devised a creative solution to its cyber talent shortage: a volunteer cyber army to help defend the nation and take the war to Russia. Necessity may be the mother of invention, but the issues here are profound and go well beyond Ukraine and Russia. To wit, the volunteer IT Army is just that: a volunteer collective that, while markedly easy to stand up, cannot easily be stood down. Should the war against Ukraine end or come to a stalemate, what will those newly trained hackers do with their skills? Furthermore, the line between principled hacktivism and illegal hacking is clear to those in law enforcement: whether as an act of civil disobedience or in pursuit of armchair foreign policy, however morally supportable, cyber attacks are illegal.

Pursuing Abundant Automation

Coming to terms with the cybersecurity workforce challenge will require government, corporations, and educational institutions working in concert. Technology will also play an increasingly critical role, particularly machine learning and automation. Today, automation must be recognized as an enabler that should be part of every organization’s security footing.

Criminals, ever the early adopters, are clearly aware of the virtues of automation. A recent McKinsey report notes that some of today’s rise in ransomware is likely due to criminals leveraging machine learning. As a practical matter, to combat the malign use of AI, companies and governments will need to rely on still greater levels of automation.

Much has been written on the prospect of AI taking away people’s livelihoods; automation in cybersecurity, however, is about handling the tempo and complexity of threats. Machine learning augments human capacities by taking away drudgery. And while humanity may be no closer to achieving John Maynard Keynes’ prediction of a 15-hour work week delivered through abundant technology, machine learning in cybersecurity is freeing professionals to focus on top-level challenges and the avoidance of emergencies.

With so much at stake, governments and corporations must work together in earnest. Leaving cybersecurity workforce plans to the future is a recipe for ad hoc policies, further loss of trust in cyberspace and, ultimately, entropy.

About Sean S. Costigan:
Sean Costigan is the Director of Cyber Policy for Red Sift and a professor at the George C. Marshall European Center for Security Studies.
The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.