Editor’s Note: The report is attached here.
From: DHS
PREFACE
The cyber threat facing the nation has escalated sharply in recent years and come into clear focus.
In April 2009, the Wall Street Journal ran a front page article entitled “Electricity Grid in U.S. Penetrated by Spies,” and CNN showed proof that a cyber attack can cause a power generator to break apart.
At the same time, the technological wealth of Western nations continues to be systematically stolen through cyber attacks. In a private letter to the managing directors of the 300 largest companies in the United Kingdom, MI5 Director-General Jonathan Evans told the business leaders that their networks and systems, as well as those of their attorneys and advisors, were being penetrated with the same advanced attack techniques used to steal military secrets from defense agencies.
Federal civilian agencies have not been immune. Computers have been penetrated in the Bureau of Industry and Security, the U.S. Commerce Department agency responsible for holding data on “technologies too sensitive to export.”
DHS’s own systems have been under attack. In 2007, DHS CIO Scott Charbo testified that more than 840 cyber-related incidents—many involving malicious software designed to set up back doors to steal information and make changes to agency systems—had occurred during the two previous fiscal years and were continuing. A massive hacking attack in 2008 that impacted over 500,000 pages on websites worldwide infected a DHS website. Every visitor to the DHS site was sent malicious software designed to take over their computer and turn it into a zombie to distribute spam or attack other computers. While DHS detected and cleaned up the site the same day, the message was clear that the Department needed to deploy practices that were more aware, secure, nimble, and responsive to the growing volume and sophistication of cyber attacks.
Upon taking office in 2009, DHS Secretary Janet Napolitano recognized the urgency of the situation. In October of that year she announced a new excepted service hiring authority to enable DHS “to recruit the best cyber analysts, developers and engineers in the world to serve their country by leading the nation’s defenses against cyber threats.” Gaining Office of Personnel Management approval for the hiring authority promised a rapid build-up of knowledgeable cybersecurity staff at DHS.
Within months of Secretary Napolitano’s announcement, however, a new and sophisticated wave of attacks against U.S. industry was revealed. Google announced that it, along with more than 70 high-tech companies, had lost important intellectual property. Exxon-Mobil, Marathon, and Conoco-Phillips also revealed their systems had been penetrated by sophisticated nation-state actors.
These sophisticated attacks are the new norm, even penetrating the most protected, classified networks maintained by the U.S. military in a combat zone. Intrusion prevention suppliers reveal privately that their systems are unable to keep up with the sophistication of attacks, and anti-virus companies report that attackers are reverse-engineering the vendors’ antivirus software and building new viruses so sophisticated that the tools cannot stop them. Nor is the problem going away anytime soon—multiple sources have reported a sharp rise in attacks over the past six months; specific reports indicate a 200% increase in attacks and a spread to many organizations that have not previously been targets of nation-state attacks.
In the face of such burgeoning threats, DHS has determined to move immediately to the next level of capability, one built upon the very advanced technical skills necessary to not only respond to but get ahead of this new attack tempo. Finding the people with the needed skills, however, poses a dilemma. The numbers of professionals with these mission-critical skills are so limited that government contractors and federal agencies compete with one another and the private sector to hire them. Not surprisingly, a recent article in Bloomberg News reports that “the competition is fiercest for workers with hands-on experience defending systems against hackers and malicious viruses that can steal sensitive government data.” For DHS to acquire sufficient talent in such a competitive environment, it needs to radically expand the national pipeline of professionals with sophisticated technical cybersecurity skills.
On June 6, 2012, Secretary Napolitano announced the formation of a Task Force on CyberSkills with a two-part mandate: first, to identify the best ways DHS can foster the development of a national security workforce capable of meeting current and future cybersecurity challenges; and second, to outline how DHS can improve its capability to recruit and retain that sophisticated cybersecurity talent.
The Task Force on CyberSkills report is presented here. Secretary Napolitano gave the Task Force broad access inside DHS to gather data to better understand what has already been done and what needs to be done. This report identifies the models and resources throughout government and industry that will enable action to meet the cyberskills mandate. If implemented, its recommendations will not only expand the national pipeline of men and women with advanced cybersecurity skills, but will also enable DHS to become a preferred employer for the talent produced by that pipeline, positioning the Department to help make the United States safer, more secure, and more resilient.
Leave a Reply